Authentication Type 2 with multiple group support
To configure Transact for ADFS over SAML 2.0 with Authentication Type 2 and multiple group support, follow the instructions in this topic.
Authentication Type 2 uses SSO for authentication and authorization. The user enters the user name on the SSO logon page, and it is forwarded as a SAML request to the Identity Provider. Transact receives the user name and the groups associated with the user in the SAML response.
The system can be configured so a user is assigned to only one group, as shown in Authentication Type 2. The user automatically gets the rights assigned to that group. You can also configure the system so a user can be associated with more than one group. Use the information below to change the configuration files to support this option.
Prerequisites
This configuration requires the following to be installed.
- Active Directory Federation Services
- Active Directory
- Ephesoft Transact
In addition to the files listed in Authentication Type 2, you also need application.properties.
Components
The following components require additional configuration to support ADFS over SAML 2.0 with Authentication Type 2 with multiple group support. You also need to complete the configuration tasks listed in Authentication Type 2.
When you finish changing the property files, restart the Transact service.
- web.xml
  Change the following:
  - Uncomment the multi-group functionality section.
  - Change groupNameDelimiter from semicolon (;) to comma (,).
  - In AdminGroups and OperatorGroups, add the names of the groups to which you want to provide the Administrator and Operator roles, respectively. If you have more than one group, separate them with commas (,).
  A sample configuration file can be downloaded here.
- application.properties
  This file is used to define Super Admin group names. To provide super admin roles to more than one group, separate the groups with a double semicolon (;;).
  The following properties need to be changed:
  - user.super_admin: Define the Super Admin groups.
  - update_super_admin_group: Change the flag to true.
  The following example of the application.properties file shows how these properties are set.
  A sample configuration file can be downloaded here.
- applicationContext-Security.xml
  In the epheSamlFilter bean, change the value of <constructor-arg index="2"> from true to either of the following:
  - Change to false:
    <constructor-arg index="2" value="false"/>
  - Leave blank:
    <constructor-arg index="2" value=""/>
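The two files use different separators (comma in web.xml, double semicolon in application.properties), so a value written with the wrong one would be read as a single group name. The following check is an added example, not Ephesoft code: the dictionaries stand in for values read from the two files, the group names are constructed, and the overlap check is an added review aid rather than a Transact rule.

```python
# Added example (not Ephesoft code): lint the multi-group settings named above.
# All group names and sample values are constructed for illustration.

def split_groups(value, delimiter):
    """Split a group list on its delimiter, dropping empty entries."""
    return [g.strip() for g in value.split(delimiter) if g.strip()]

def lint_multi_group(web_xml, app_props):
    """Return findings for the web.xml and application.properties values.

    Both arguments are plain dicts standing in for values read from the files.
    """
    findings = []
    if web_xml.get("groupNameDelimiter") != ",":
        findings.append("groupNameDelimiter must be a comma (,)")
    for key in ("AdminGroups", "OperatorGroups"):
        value = web_xml.get(key, "")
        if not split_groups(value, ","):
            findings.append(f"{key} is empty")
        if ";" in value:
            findings.append(f"{key} uses ';' but its groups are comma-separated")
    super_admin = app_props.get("user.super_admin", "")
    if not split_groups(super_admin, ";;"):
        findings.append("user.super_admin is empty")
    # A comma or a lone semicolon would leave two groups joined as one name.
    if "," in super_admin or ";" in super_admin.replace(";;", ""):
        findings.append("user.super_admin groups must be separated by ';;'")
    if app_props.get("update_super_admin_group", "").strip().lower() != "true":
        findings.append("update_super_admin_group must be true")
    # Added review aid (an assumption, not a Transact rule): flag groups that
    # hold Super Admin and a lower role at the same time.
    supers = set(split_groups(super_admin, ";;"))
    for key in ("AdminGroups", "OperatorGroups"):
        for group in sorted(supers & set(split_groups(web_xml.get(key, ""), ","))):
            findings.append(f"review: {group} is in user.super_admin and {key}")
    return findings

# Constructed sample: AdminGroups still uses ';' and super admins use ','.
SAMPLE_WEB_XML = {"groupNameDelimiter": ",", "AdminGroups": "DocAdmins;ScanAdmins",
                  "OperatorGroups": "Operators"}
SAMPLE_APP_PROPS = {"user.super_admin": "PlatformOwners,SecOps",
                    "update_super_admin_group": "true"}

if __name__ == "__main__":
    for finding in lint_multi_group(SAMPLE_WEB_XML, SAMPLE_APP_PROPS):
        print(finding)
```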